Alex Smith wrote:
> [snip]
> As an aside, I don't see how encrypting the contents of the cookie would
> prevent a spoofing attack, at least not without resorting to additional
> infrastructure tricks on both the client and the server side. Craig, can you
> elaborate? (Btw, you should at least indicate in your signature that you're
> one of the JServ developers lest the readers be led to trust your
> "independent" opinion).
>
> Alex.
>
I agree with you that encrypting the contents of the session cookie is useless
-- I just didn't say it very clearly. The browser you sent the encrypted
session ID cookie to doesn't know it's encrypted, so it just sends it back
unchanged; just as vulnerable to snooping as an unencrypted session cookie
would be.

I happily claim my association with the Apache JServ project when it's relevant
to a particular question being answered. The question of "is it worthwhile to
encrypt a session cookie" doesn't strike me as such a question -- it begs for
general purpose education and illumination, as do your comments about setting
the secure flag on cookies intended for use in an encrypted link. Discussing
things like that makes it less painful to wade through the newbie questions
about class paths, or the totally off topic questions about how to format a
float with two decimals.

More than a few people on this list HAVE thanked me for my "independent"
opinions, so I must be doing something right :-).

And, my most recent projects have not been based on Apache JServ because I
needed Servlet 2.1 + JSP 1.0 support, and we're still all waiting for Godot
(err, waiting for Jakarta ...).
Craig McClanahan
(Affiliated with the Java Apache Project -- http://java.apache.org)
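The point made in the reply above, as an added example that is not code from this thread or from Apache JServ: the browser echoes an encrypted session cookie back verbatim, so anyone who can read the plaintext link can replay it unchanged, whereas the secure flag mentioned earlier keeps the cookie off plain-http requests in the first place. The toy XOR cipher, the Server and Browser classes, the cookie name and the user name are all constructed for this demo.

```python
import hashlib
import os
import secrets

# Constructed demo. Toy cipher: XOR against a SHA-256 keystream derived from a
# server-side key. The browser never sees the key; it only echoes bytes back.
SERVER_KEY = os.urandom(32)

def toy_encrypt(data: bytes) -> bytes:
    keystream = hashlib.sha256(SERVER_KEY).digest()
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))

toy_decrypt = toy_encrypt  # XOR with the same keystream is its own inverse

class Server:
    """Issues an encrypted session-ID cookie and resolves it on each request."""
    def __init__(self, secure_flag: bool):
        self.sessions, self.secure_flag = {}, secure_flag

    def login(self, user: str) -> tuple:
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        # (name, value, secure) as a Set-Cookie header would carry it
        return "JSESSIONID", toy_encrypt(sid.encode()).hex(), self.secure_flag

    def whoami(self, cookie_value):
        # Whatever comes back is decrypted and looked up; the server cannot tell
        # a replayed copy from the original because the bytes are identical.
        if cookie_value is None:
            return None
        sid = toy_decrypt(bytes.fromhex(cookie_value)).decode(errors="replace")
        return self.sessions.get(sid)

class Browser:
    """Stores cookies opaquely and honours the secure flag on plain-http URLs."""
    def __init__(self):
        self.jar = {}

    def set_cookie(self, name, value, secure):
        self.jar[name] = (value, secure)

    def cookie_for(self, name, scheme):
        value, secure = self.jar.get(name, (None, False))
        return None if (secure and scheme != "https") else value

def run_scenario(secure_flag: bool) -> dict:
    server, browser, wiretap = Server(secure_flag), Browser(), []
    browser.set_cookie(*server.login("alice"))
    # The browser later fetches a plain-http page on the same host; a passive
    # observer on that link records whatever cookie header appears on the wire.
    on_wire = browser.cookie_for("JSESSIONID", "http")
    if on_wire is not None:
        wiretap.append(on_wire)
    replayed = server.whoami(wiretap[0]) if wiretap else None
    return {"cookie_seen_on_wire": on_wire is not None, "replay_resolves_to": replayed}
```

Without the secure flag the replayed ciphertext resolves to alice's session; with it, the cookie never travels over plain http and there is nothing to replay.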
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html